CVE-2026-34784
HIGHParse Server: Streaming file download bypasses afterFind file trigger authorization
Title source: cnaDescription
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/pull/10361
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/pull/10362
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
Scores
CVSS v3
7.5
EPSS
0.0038
EPSS Percentile
29.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
Status
published
Products (4)
npm/parse-server
9.0.0 - 9.7.1-alpha.1npm
parse-community/parse-server
< 8.6.71
parse-community/parse-server
>= 9.0.0, < 9.7.1-alpha.1
parseplatform/parse-server
< 8.6.71
Published
Mar 31, 2026
Tracked Since
Apr 01, 2026